Access Control and the Bell-LaPadula Model CS 4235

Post on 22-Dec-2015

Page 1: Access Control and the Bell-LaPadula Model CS 4235

Access Control and the Bell-LaPadula Model

CS 4235

Page 2

Historical Background

• Physical access control
• No mixing of data (sensitive vs not)
• Hardwired terminal access
• No multiplexing of users and data
• What happens when all the data is stored in the same place and users with different trust levels are allowed to access it?
• Multi-level security problem

Page 3

Documents vs People

• Documents have classifications
  – Top Secret
  – Secret
  – Confidential
  – Unclassified
• Sensitive
• Non sensitive
• People have clearances
  – Top Secret
  – Secret
  – Q

Page 4

There are also code words that are not classifications

• ULTRA identified information encrypted with Enigma machines
• Categories – how material is handled
  – Sensitive compartmented information (SCI) – Intelligence
    • Operations and methods
    • Nuclear secrets
    • Stealth
  – Special Access Programs (SAP) – Defense
    • Acknowledged
    • Unacknowledged
    • Waived
  – Solves two logistical problems
    • Collateral clearances for everyone would be expensive
    • Need to limit information to those with need to know
  – SIGMA (Department of Energy)
  – SAP/SCI requires a Secure Compartmented Information Facility (SCIF)

Page 5

Caveats and Other Codes

• NOFORN
• RESTRICTED
• NO CONTRACTOR
• REL TO <Country Code>
• ORCON
• FOUO
• PROPIN
• SECRET//<compartment name>//NOFORN//ORCON//25X1

Page 6

People are cleared to

• Classification levels
• Categories
• Other labels

Page 7

Discretionary Access Control

• E.g., Unix permissions
• Set access conditions on a file so that only a group of your choosing can read it
• Anyone with access can propagate the information by resetting permissions

Page 8

Mandatory Access Control

• Security authority sets permissions
• Only the security authority can propagate information
• Violations are very serious

Page 9

Orderings

• TS > S > C
• How about
  – (S//NUC//NOFORN) vs TS?
  – (TS//EUR//25X1) vs (TS//CRYPTO//PROPIN)?

Page 10

Access Control Models

[Figure: access matrix with subjects S1–S4 as rows and objects O1–O4 as columns; each cell holds the operation permitted for that subject on that object]

Access modes:
• Read (observe)
• Write (observe, alter)
• Execute (no observe, no alter)
• Append (alter, no observe)

Access decision: (S, O, R) → YES/NO

Page 11

Accesses take the system from state to state

[Figure: states σ1 → σ2 → σ3, with the transitions labelled by the accesses (S, a, read) and (T, b, append)]

If you start in a secure state do you end up in a secure state?

All accesses must be allowed by MAC rules

Page 12

Granting Access Should Not Violate MAC

[Figure: a Subject between a High Level object and a Low Level object, with WRITE and READ arrows and a “?” marking the questionable flow of information]

Page 13

Simple Security Property

• The current level of a subject dominates the level of every object that it observes
• Like paper systems
• “No read up”

Page 14

*-Property

• If S can observe a and alter b, then a ≤ b
• “No write down”

Page 15

Partial Orders

• S = {a1, a2, …, an}
• P = (S, ≤) is a partial order (PO) iff
  – If a ≤ b and b ≤ a, then a = b (antisymmetric)
  – If a ≤ b and b ≤ c, then a ≤ c (transitive)
  – a ≤ a (reflexive)
• Examples
  – Natural numbers under ≤
  – Subsets under ⊆
• How about
  – Choices on a ballot under “is preferred to”?
  – People under “trusts”?

Page 16

Lattices

• A POSET S
• Every subset of S has a greatest lower bound
• Every subset of S has a least upper bound

[Figure: diagram of S with x at the top, x1 and x2 below it, and x3, x4, x5 below those; a subset of S is marked, the elements that are all upper bounds of it are labelled, and the least of them is the LUB]

Page 17

Security Levels

• A security level is a pair (c, s) where
  – c is a classification from a POSET of classifications (e.g., U, S, TS, but the exact classifications don’t matter)
  – s is a set of categories (e.g., NUC, CRYPTO, …, but the exact categories don’t matter)
• (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
• Levels form a lattice

Page 18

Assigning Security Levels to Subjects and Objects

• level(S), level(O) = security level of S, O
• current-level(S) = levels at which S can operate
• current-level(S) ≤ level(S)
• level(S) = max(current-level(S)) is called S’s clearance

Page 19

Security Properties

• SS-property: for any (S, O, A), if A includes observation then level(S) ≥ level(O) (no read up)
• *-property: for any (S, O, A)
  – r ∈ A implies current-level(S) ≥ level(O)
  – a ∈ A implies current-level(S) ≤ level(O)
  – w ∈ A implies current-level(S) = level(O)
  (no write down)

If a subject can observe O1 and modify O2 then level(O2) ≥ level(O1)
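The definitions on slides 15, 17 and 19 and the state-transition question on slide 11 can be checked mechanically. The following is an added example, not code from the slides: it encodes a security level as (classification, category set), implements dominance, LUB and GLB, tests the partial-order axioms, decides one (S, O, mode) access with the SS-property on the clearance and the *-property on the current level, and only grants a request when the resulting state is still secure. The classification order U < C < S < TS, the category names, and the sample subjects and objects are constructed for illustration; the slides say the exact names do not matter.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set, Tuple, TypeVar

# Assumed linear order of classifications (slide 17 says the exact names do not matter).
CLASSIFICATIONS = ["U", "C", "S", "TS"]
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}

T = TypeVar("T")

def is_partial_order(elements: Iterable[T], leq: Callable[[T, T], bool]) -> bool:
    """Slide 15: reflexive, antisymmetric and transitive on the given elements."""
    xs = list(elements)
    reflexive = all(leq(a, a) for a in xs)
    antisymmetric = all(not (leq(a, b) and leq(b, a)) or a == b for a, b in product(xs, xs))
    transitive = all(not (leq(a, b) and leq(b, c)) or leq(a, c) for a, b, c in product(xs, xs, xs))
    return reflexive and antisymmetric and transitive

@dataclass(frozen=True)
class Level:
    """A security level (c, s): classification c plus a set of categories s (slide 17)."""
    c: str
    s: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1, s1) >= (c2, s2) iff c1 >= c2 and s2 is a subset of s1
        return RANK[self.c] >= RANK[other.c] and other.s <= self.s

    def __str__(self) -> str:
        return "//".join([self.c, *sorted(self.s)])

def lvl(c: str, *cats: str) -> Level:
    return Level(c, frozenset(cats))

def compare(a: Level, b: Level) -> Optional[int]:
    """1 if a > b, -1 if a < b, 0 if equal, None if the two levels are incomparable."""
    ab, ba = a.dominates(b), b.dominates(a)
    return 0 if ab and ba else 1 if ab else -1 if ba else None

def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher classification and the union of the categories."""
    return Level(CLASSIFICATIONS[max(RANK[a.c], RANK[b.c])], a.s | b.s)

def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower classification and the intersection of the categories."""
    return Level(CLASSIFICATIONS[min(RANK[a.c], RANK[b.c])], a.s & b.s)

# Access modes from slide 10: r observes, a alters, w observes and alters, e does neither.
OBSERVES = {"r", "w"}

def access_allowed(clearance: Level, current: Level, obj: Level, mode: str) -> bool:
    """SS-property on the clearance plus *-property on the current level (slide 19)."""
    if mode not in ("r", "a", "w", "e"):
        raise ValueError(f"unknown access mode {mode!r}")
    if not clearance.dominates(current):
        raise ValueError("current-level(S) must be <= level(S)")
    # SS-property: observation requires level(S) >= level(O) ("no read up")
    if mode in OBSERVES and not clearance.dominates(obj):
        return False
    # *-property: r -> current >= O, a -> current <= O, w -> current == O ("no write down")
    if mode == "r":
        return current.dominates(obj)
    if mode == "a":
        return obj.dominates(current)
    if mode == "w":
        return current == obj
    return True  # e: neither observes nor alters, so no information flows

# A subject is (level(S), current-level(S)); a state is the set of current (S, O, mode) accesses.
Subjects = Dict[str, Tuple[Level, Level]]
Objects = Dict[str, Level]
Access = Tuple[str, str, str]

def state_is_secure(subjects: Subjects, objects: Objects, state: Set[Access]) -> bool:
    return all(access_allowed(*subjects[s], objects[o], m) for s, o, m in state)

def transition(subjects: Subjects, objects: Objects, state: Set[Access],
               request: Access) -> Tuple[bool, Set[Access]]:
    """Slide 11: grant a request only if the resulting state is still secure."""
    candidate = state | {request}
    if state_is_secure(subjects, objects, candidate):
        return True, candidate
    return False, state

# Constructed sample (not from the slides): two subjects and three labelled objects.
SUBJECTS: Subjects = {"S": (lvl("TS", "NUC"), lvl("S", "NUC")), "T": (lvl("S"), lvl("S"))}
OBJECTS: Objects = {"a": lvl("S", "NUC"), "b": lvl("TS", "NUC"), "c": lvl("S")}

def run_requests(requests: Iterable[Access]) -> Dict[Access, bool]:
    """Apply requests in order from the empty (trivially secure) state; report each decision."""
    state: Set[Access] = set()
    decisions: Dict[Access, bool] = {}
    for req in requests:
        granted, state = transition(SUBJECTS, OBJECTS, state, req)
        decisions[req] = granted
    return decisions

if __name__ == "__main__":
    print("levels form a POSET:", is_partial_order(OBJECTS.values(), lambda x, y: y.dominates(x)))
    for req, ok in run_requests([("S", "a", "r"), ("T", "b", "a"), ("S", "c", "w"), ("T", "a", "r")]).items():
        print(req, "YES" if ok else "NO")
```

The `compare` helper answers slide 9's question directly: (S//NUC//NOFORN) and TS are incomparable because the first carries a category the second lacks while the second has the higher classification, and the same holds for (TS//EUR//25X1) against (TS//CRYPTO//PROPIN). Note that `access_allowed` applies the SS-property to the clearance and the *-property to the current level, which is why a subject cleared to TS//NUC but currently operating at S//NUC may append to a TS//NUC object but not read it.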

Page 20

Lattice Model

• Information only flows up the lattice
• System enforces SS and * properties

Page 21

A MAC Implementation

• Unix file system
• Label all files and directories with levels
• Assign level(u) to each user u
• u is initially assigned the lowest current-level
• Allow current-level(u) to float as higher-level files are observed
• If level(u) < current-level(u), issue kill(u)
• If level(f) < level(u) and u writes to f, issue kill(u)
• Is this secure?
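To reason about slide 21's closing question it helps to run the rules exactly as written. The following is an added simulation, not code from the slides: users start at the lowest current-level, reading a file raises the current-level to the LUB of the old level and the file's level, and the two kill conditions are applied literally, with "<" meaning strict dominance in the lattice. `compare_write_rules` then reports, for one write request, whether the slide's rule (which tests the file against the clearance level(u)) and slide 19's *-property (which tests it against current-level(u)) reach the same decision. Assumptions: only reads float the current-level, the classification order is U < C < S < TS, and the file labels and users are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification order (the slides say the exact names do not matter).
CLASSIFICATIONS = ["U", "C", "S", "TS"]
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}

# A level is (classification, categories); (c1, s1) >= (c2, s2) iff c1 >= c2 and s2 is a subset of s1.
Level = Tuple[str, FrozenSet[str]]
LOWEST: Level = ("U", frozenset())

def lvl(c: str, *cats: str) -> Level:
    return (c, frozenset(cats))

def show(level: Level) -> str:
    return "//".join([level[0], *sorted(level[1])])

def dominates(a: Level, b: Level) -> bool:
    return RANK[a[0]] >= RANK[b[0]] and b[1] <= a[1]

def strictly_below(a: Level, b: Level) -> bool:
    """a < b in the lattice, i.e. b dominates a and the two differ (the slide's '<')."""
    return dominates(b, a) and a != b

def lub(a: Level, b: Level) -> Level:
    return (CLASSIFICATIONS[max(RANK[a[0]], RANK[b[0]])], a[1] | b[1])

class Killed(Exception):
    """Raised where the slide says 'issue kill(u)'; the user's session is dropped."""

@dataclass
class User:
    level: Level              # clearance, level(u)
    current: Level = LOWEST   # current-level(u); starts at the lowest level

@dataclass
class System:
    files: Dict[str, Level]                          # level(f) for every labelled file
    users: Dict[str, User] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def login(self, name: str, clearance: Level) -> None:
        self.users[name] = User(level=clearance)

    def read(self, name: str, path: str) -> Level:
        u, f = self.users[name], self.files[path]
        u.current = lub(u.current, f)               # current-level floats up on observation
        if strictly_below(u.level, u.current):      # level(u) < current-level(u): kill(u)
            del self.users[name]
            raise Killed(f"{name} read {path}: current level exceeds clearance")
        self.trace.append(f"{name} read {path}; current-level now {show(u.current)}")
        return u.current

    def write(self, name: str, path: str) -> None:
        u, f = self.users[name], self.files[path]
        if strictly_below(f, u.level):              # level(f) < level(u) and u writes f: kill(u)
            del self.users[name]
            raise Killed(f"{name} wrote {path}: file below clearance")
        self.trace.append(f"{name} wrote {path}")

def star_property_permits_write(current: Level, f: Level) -> bool:
    """Slide 19's *-property for a write: w in A implies current-level(S) = level(O)."""
    return current == f

def compare_write_rules(clearance: Level, current: Level, f: Level) -> Tuple[bool, bool]:
    """(slide 21 rule permits, *-property permits) for one write request."""
    return (not strictly_below(f, clearance), star_property_permits_write(current, f))

# Constructed sample files (not from the slides).
FILES: Dict[str, Level] = {
    "/public/notes": lvl("U"),
    "/ops/plan": lvl("S"),
    "/nuc/design": lvl("TS", "NUC"),
}

def demo() -> List[str]:
    sys_ = System(dict(FILES))
    sys_.login("alice", lvl("TS", "NUC"))
    sys_.read("alice", "/public/notes")   # current-level stays U
    sys_.read("alice", "/ops/plan")       # floats to S
    sys_.write("alice", "/nuc/design")    # equal to the clearance, not below it: allowed
    sys_.read("alice", "/nuc/design")     # floats to TS//NUC
    try:
        sys_.write("alice", "/ops/plan")  # S < TS//NUC: kill(alice)
    except Killed as e:
        sys_.trace.append(str(e))
    sys_.login("bob", lvl("S"))
    try:
        sys_.read("bob", "/nuc/design")   # would float bob above his clearance: kill(bob)
    except Killed as e:
        sys_.trace.append(str(e))
    return sys_.trace

if __name__ == "__main__":
    for line in demo():
        print(line)
    print(compare_write_rules(lvl("TS", "NUC", "CRYPTO"), lvl("TS", "NUC"), lvl("S", "EUR")))
```

Two cases worth feeding to `compare_write_rules` when answering the slide's question: a user cleared to TS//NUC//CRYPTO, currently at TS//NUC, writing a file labelled S//EUR (the file is incomparable with the clearance, so the slide's rule does not treat it as "below" and permits the write, while the *-property requires equality with the current level and refuses); and a user cleared to TS//NUC, currently at S, writing a file labelled S (the slide's rule kills because S < TS//NUC, while the *-property permits a write at the current level). The two rules differ in both directions, and whether the first case is reachable depends on exactly when a write is treated as an observation.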

Page 22

Covert Channels

• Low bandwidth
• Outside the models
  – Channel not designed for communication
  – Shared resource
  – Allows information to be transmitted from High to Low (*-property violation)
• Semantics

Scotland Yard Detective Gregory: "Is there any other point to which you would wish to draw my attention?"

Holmes: "To the curious incident of the dog in the night-time."

Gregory: "The dog did nothing in the night-time."

Holmes: "That was the curious incident."

Page 23

Example

• High Process: if bit i of the protected file is 1 then position the disk head at time t = i outside the current volume
• Low Process: detect the position of the head at time t = i

Page 24

Types of Channels

• Storage channel
• Timing channel
• Sequential process IDs
• Shared file locks
• File access times
• Application channels
• IRC signalling

Page 25

Other Access Control Models

• Biba Integrity Model
• Lampson-Graham-Denning
• Harrison-Ruzzo-Ullman
• Take-Grant

Page 26

Trusted Systems

• Orange Book
• Trusted Network Interpretation
• Common Criteria
• European and Canadian Criteria

Page 27

Trust Levels

• D – no requirements
• C1/C2/B1 – commercial-strength security features
• B2 – rigorous demonstration of security by mathematical analysis (“proof”)
• B3/A1 – formal designs and mathematical proof

Page 28

Commercial Protection

• C1
  – Discretionary security protection
  – Cooperating users
  – All data at the same sensitivity level
  – Tamper-resistant
• C2
  – Controlled access protection
  – Finer grained than C1
  – Audit trails
• B1
  – Labeled security protection
  – Each subject and object assigned its own level
  – Bell-LaPadula
  – DAC to provide further controls

Page 29

Structured Protection and Security Domains

• B2 = B1 + design requirements
  – Verifiable top-level design
  – Testing to verify that the implementation satisfies the design
  – Design consisting of well-defined independent modules
  – Principle of least privilege enforced
• B3 = B2 + testing requirements
  – Small, tamperproof security functions
  – Audit functions required
  – High-level design that is complete and conceptually simple
  – Convincing argument that the system implements the design
  – Exhibits good design practice
    • Layering
    • Abstraction
    • Information hiding

Page 30

A1 = Formally Verified = B3 + the following

• Formal model of the protection systems and a mathematical proof of its consistency and adequacy

• Formal top-level specification of the protection system

• Demonstration that the specification conforms to the model

• Implementation informally shown to be consistent with the specifications

• Formal analysis of covert channels

Page 31

Modern Trust Models

• Capability-based
• MAC and DAC implemented using the same mechanisms
• Heavy reliance on application trust features
• Hardware-enforced separation
• Virtualization and hypervisors

Page 32

An Early Hypervisor

TCPA

Page 33

Itanium® Processor (IA-64) Architecture

• High performance on encryption protocols

• Fine-grained memory protection

• Two additional levels of privilege protection

Page 34

IA-64 Privilege Level 0

• Access to
  – Privileged system registers
  – Privileged instructions
• Page creation
• Direct access to physical memory
• Invoking PL-0 from PL-1 to PL-3
  – Interrupts
  – Explicit PL-0 request (“epc”)

Page 35

Secure platform architecture

• Root of trust in protected memory of the trusted platform
• Secure Platform Kernel (SPK) loaded by secure boot
• Operating systems are ported to the SPA

Page 36

Structure of Secure Platform

• Abstracts ABI, physical resources and interrupts
• PL-0 reserved for SPK: minimal certified code (known to CRTM)
• PL-1 hosts global services for
  – I/O notification
  – Multiple OS images
  – Protection domains
  – Non-OS applications
• PL-2 hosts OS images
• Applications reside in PL-3

Page 37

SP Characteristics

• Secure paging
• Operating systems and device drivers run as unprivileged tasks
• Privileged operations are authenticated and performed by the secure platform kernel
• Self-healing data structures
• “Baileys” separate SPK, SPGS and OS

Page 38

“How does it work?”

• multiple containment rings inherently limit intrusion

• operating systems and device drivers run as unprivileged tasks

• privileged operations are authenticated and performed by secure platform kernel

• code and data are protected from inadvertent and malicious execution or modification

• multiple OS images run securely on the same system

Page 39

SP Virtual Addressing

• Region IDs provide
  – Memory isolation
  – Protection keys
  – Fine-grain permission control
• Upper half of Region 7 reserved for SPK/SPGS
• Operating systems run virtual in the lower half of Region 7
• Regions 0-6 available for OS assignment
• SPK
  – Manages region ID assignments
  – Allocates pages for mapping virtual addresses

Page 40

Privileged Operations

• OS executes as unprivileged task at PL-2

• Privileged functions invoked by epc call

• Lightweight paths are implemented for simple operations

Page 41

Unprivileged Callbacks

• Similar to Unix signals
• Interrupts handled by SPK
• UPC mechanism enables asynchronous notification to a less privileged level
• Exceptions and faults that cannot be handled by SPK are passed to the SPGS

Page 42

Secure paging

• Protection for data on the paging device
  – Device theft
  – Raw device access
• Requires a pre-allocated shadow page pool
• Penalty: 1 cycle per bit using a 128-bit key
• Keys are hidden in SPK, accessed through handles

Page 43

Denial of Service Attacks

• SPK signals PL-2, which never returns
• Attacker repeats instruction path
• Context stack grows until SPK fault
• Asynchronous UPC thwarts attack
  – SPK executes single thread
  – Eventually fails to allocate space for UPC list entry
  – PL-2 process fails
  – SPK never has to unwind context stack

Page 44

Services

• Data protection
• Client integrity
• Authorized network connection
• Remote attestation
• Web administration
• Connected laptop
• Mobile services
• Virus definition reporting
• Remote management
• Smart card function (e.g., two-factor authorization)
• Public hot desking
• Trusted kiosk
• First responder services